The European Commission (the “EC”) has published (see link here) slides from its Task Force for Relations with the United Kingdom regarding the future relationship with the UK, in connection with personal data protection. The slides discuss a possible “adequacy” decision for the UK’s data protection regime, to be delivered by the EC by the end of the “transition period” which, under the draft Agreement on the Withdrawal of the UK from the EU (the “Withdrawal Agreement”), is currently envisaged to be December 31, 2020.
The slides were used for internal “preparatory discussions” and were presented on January 10, 2020 to the European Council’s Ad hoc Working Party on Article 50. The slides are not binding and are stated as being for “presentational and information purposes only”.
EEA to UK data transfers
The General Data Protection Regulation (the “GDPR”) only permits cross-border transfers of personal data to “third countries” where such transfers comply with the requirements laid down in Chapter 5 of the GDPR. A “third country” refers to a country other than the twenty eight Member States of the European Union (the “EU”) or Norway, Iceland and Liechtenstein, as the three further countries that belong to the European Economic Area (the “EEA”).
The UK is expected to leave the EU and the EEA on January 31, 2020 and will do so either:
- without a legally-binding Withdrawal Agreement in place (i.e., a “no deal” Brexit); or
- under a concluded Withdrawal Agreement, the current draft of which (see link here) provides for a transition period of 11 months (ending on December 31, 2020) and is to be implemented under the UK’s EU (Withdrawal Agreement) Bill (the “Withdrawal Bill”), which is working its way through the UK legislative process.
It is highly likely that the Withdrawal Agreement will be approved by the UK Parliament, resulting in the GDPR continuing to apply in the UK for the 11 month transition period. During this time, the legal framework for EEA-UK transfers of personal data would remain unaffected.
However, the EU data protection regime will cease to apply in the UK either (1) in the event of a “no deal” Brexit (which is still theoretically possible) from February 1, 2020, or (2) following the end of the transition period under the current draft of the Withdrawal Agreement (i.e., from January 1, 2021). In both scenarios, the UK will be deemed a “third country” for data transfer purposes under the GDPR. In this situation, a transfer of personal data from the EEA to the UK would only be permitted where the transfer complies with the requirements of Chapter 5 of the GDPR.
A future adequacy decision for the UK
An adequacy decision is an assessment by the EC that a “third country” provides an adequate level of protection for personal data, including that the third country offers guarantees ensuring a level of protection that is fundamentally equivalent to the protections ensured in the EU. A data transfer from a country in the EEA to an adequate third country is lawful under the GDPR without the need for additional safeguards. In the event that the UK is deemed to be an adequate jurisdiction by the EC, personal data flows from the EEA to the UK would be permitted to continue uninterrupted (despite the UK’s third country status).
Alternatives in the absence of an adequacy decision
The GDPR only permits cross-border transfers of personal data out of the EEA to third countries that do not have an adequacy decision if such transfers comply with certain conditions set forth in Chapter 5 of the GDPR. These include various mechanisms known as “appropriate safeguards”, notably:
- binding corporate rules – internal data protection policies that are legally binding throughout the entities in a corporate group. Binding corporate rules permit intragroup transfers only and need to be approved by a supervisory data protection authority; and
- standard contractual clauses – model clauses adopted by the EC (or adopted by supervisory authorities and approved by the EC) are incorporated into agreements between data exporters and importers, binding the data importer to standards similar to those under the EU data protection regime. The validity of such clauses is currently subject to scrutiny by the Court of Justice of the European Union.
Furthermore, in the absence of either an adequacy decision or “appropriate safeguards”, there are a limited number of statutory derogations permitting the transfer of personal data out of the EEA to non-adequate jurisdictions for specific situations. The derogations include, for example:
- explicit consent from the data subject;
- where the transfer is necessary for a contract either (i) with the data subject, or (ii) with a third party in the interest of a data subject; or
- for the establishment, exercise or defence of legal claims.
Encouragingly, the slides published by the EC earlier this month contemplate that an adequacy decision could be made in the UK’s favour by the end of the transition period, which would reduce the likelihood of any disruptions in data flows from the EEA to the UK. The slides outline the key principles of the current approach envisaged by the EU towards this issue. These principles remain consistent with both the EC’s Guidelines on the Framework for the Future EU-UK Relationship of March 23, 2018 (see link here) as well as the Revised Political Declaration on the Future UK-EU Relationship (see link here), namely that the general framework for data flows between the EEA and the UK should be an adequacy decision adopted by the EC if the UK’s data protection standards are deemed to provide an adequate level of protection to personal data.
The slides highlight the mutual benefits in the event that the EC adopts an adequacy decision for the UK post-Brexit, specifying that:
- “Exchanges of personal data are at the core of law enforcement and judicial cooperation, and increasingly important in the commercial area”;
- “Adequacy ensures the free flow of personal data”;
- “Alternative tools are available, but less comprehensive, less practical and more complex to put in place” ; and
- “Intended depth of future partnership with the UK in law enforcement and judicial cooperation in criminal matters would be facilitated by an adequacy decision”.
The slides note that adequacy decisions have already been adopted for 13 countries. They also outline:
- an envisaged timeline for the EC’s assessment of an adequacy decision for the UK, during the 11 month transition period until December 31, 2020 in the event that the UK departs from the EU on January 31, 2020 under a concluded Withdrawal Agreement; and
- the specific procedural steps through the EU’s institutional framework in order for such an adequacy decision to be formally adopted.
The slides conclude that the EC “will endeavor to finalise [its] adequacy assessment by the end of 2020” and that its “assessment in the context of law enforcement [will be] prioritised”. The EC could theoretically adopt its adequacy decision earlier this year (particularly given that the GDPR forms part of the UK’s current legislative framework under the Data Protection Act 2018). However, timing considerations for the EC’s decision may be forming a part of the EU’s wider political strategy for its Brexit negotiations with the UK. Although the slides are stated as being “without prejudice to discussions on the future relationship”, they serve as a helpful barometer to indicate the approach that the EC currently has towards the EU’s post-Brexit personal data relationship with the UK.
Businesses in the UK and in EEA countries should, therefore, see this as a positive indication from the EC with respect to post-Brexit personal data flows. However, it still remains important for organisations to continue their data protection compliance preparations given the remaining possibility (i) of a “no deal” Brexit, or (ii) that the EC does not adopt an adequacy decision for the UK before the end of the transition period. It is advisable for any agreements under which personal data is processed and transferred from the EEA to the UK that are to remain in force after December 31, 2020 to contain Brexit-specific provisions. These provisions should specify that, in the event of a “no deal” Brexit or the UK not having received an adequacy decision from the EC, personal data transfers from the EEA to the UK are made pursuant to standard contractual clauses that have been incorporated into the agreement.
 The Withdrawal Bill was passed by the UK’s House of Commons in December 2019 and has been reviewed by the House of Lords who (at time of writing) have proposed certain amendments which, if then rejected by the House of Commons as is most likely, will lead to the period in which the draft legislation moves back and forth between the two Houses until final agreement is reached.
 The Advocate General of the Court of Justice of the European Union (the “CJEU”) delivered his opinion on 19 December 2019 which held that the EC’s Decision 2010/87/EU on standard contractual clauses for the transfer of personal data to processors established in third countries is valid. The Advocate General’s advisory opinion is not binding on the CJEU which is currently expected (at time of writing) to deliver its judgment in the first half of 2020.